LPC55S69 Secure Boot

simon_ott
Contributor I

I am following AN12283 in order to enable secure boot. So far, I have generated the necessary keys and then a signed binary with the elftosb-gui. Now I am trying to configure the CFPA page.

In section 5.3 in the AN, it is stated: "Prepare CFPA page in .bin file (example with RoT key 0-3 enabled is attached)". However, I don't see any example attached in the AN and no further notes on how to generate the CFPA page .bin file. In the user manual, it is said that "Prepare CFPA page using elftosb-gui PC tool". However, in the elftosb-gui, there is only one field that is part of the CFPA (the RKTH). So my question is, what is the right way to configure the CFPA page?

Then I was looking at the CFPA page layout. In table 179 of the user manual, it is said that the length of the RKTH_REVOKE field is 1 bit, at address 0x9DE18. However, then in table 180 the RKTH_REVOKE bit field is described as consisting of a total of 32 bits. However, the next field (PRINCE Region 0 IV Code) is at address 0x9DE30, which is only 24 bits from 0x9DE18. Is this a mistake in the user manual?

Also, in the application note, there are several warnings:

"In ROM A0 after programming signed image there is no way to read or write flash memory through ISP. Configure the settings carefully. Only signed images with selected certificates are used."

- What is meant by ROM A0?

- Does this mean that, after programming the ROM with secure boot enabled (elftosb-gui "device" and "security" tab) and uploading a signed image, the protected flash region can never be changed again through elftosb-gui, or is there a way to change it again?

- Can secure boot in general be disabled again, to continue application development and debugging through the MCUXpresso IDE?

0 Kudos
1 Reply

ZhangJennie
NXP TechSupport

Hi Simon Ott,

See the attached package; inside the folder there is CFPA_0x9de00.bin. This is the prepared CFPA page bin file.

Open this bin file and you will see "55", which is the RKTH_REVOKE byte. It means all four RoTKs are enabled (see the description of ROTKH_REVOKE in AN12283).


"ROM A0" means, the ROM version is A0.

>> "Does this mean, that after programming the ROM with secure boot enabled (elftosb-gui "device" and "security" tab) and uploading a signed image, the protected flash region can never be changed again through elftosb-gui?"

Yes, you are right. We can't use elftosb-gui to change it again.

In order to update the image, we need to use an SB2 file to download. See AN2283, 5.6 Signed image update capsule SB2.

>> "Can secure boot in general be disabled again, to continue application development and debugging through the MCUXpresso IDE?"

Once we enable secure boot, we can't disable it again. After secure boot is enabled, please don't use MCUXpresso IDE download/debug.


Have a great day,
Zhang Jun

 


0 Kudos
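
A way to check a prepared CFPA page file before programming it, given that the reply says the change cannot be undone. This is an added example, not code from NXP or from the posts above. The function names are hypothetical, and it assumes a 512-byte page and a two-bits-per-key encoding (01 = enabled), which is consistent with "55" meaning all four RoTKs enabled.

```python
CFPA_BASE = 0x9DE00         # from the attachment name CFPA_0x9de00.bin
RKTH_REVOKE_ADDR = 0x9DE18  # field address quoted in the question
PAGE_SIZE = 512             # assumption: the CFPA page is one 512-byte flash page
# Assumption: two bits per key, low bits first, so that 0x55 = all four enabled.
STATES = {0b00: "invalid", 0b01: "enabled", 0b10: "revoked", 0b11: "revoked"}


def decode_rkth_revoke(page: bytes) -> dict:
    """Return the state of RoTK0..RoTK3 from a CFPA page image."""
    if len(page) != PAGE_SIZE:
        raise ValueError(f"expected {PAGE_SIZE} bytes, got {len(page)}")
    value = page[RKTH_REVOKE_ADDR - CFPA_BASE]
    return {f"RoTK{i}": STATES[(value >> (2 * i)) & 0b11] for i in range(4)}


def check_page(page: bytes, expected_enabled: set) -> list:
    """List every key whose state differs from what the signing setup expects."""
    problems = []
    for name, state in decode_rkth_revoke(page).items():
        if name in expected_enabled and state != "enabled":
            problems.append(f"{name} is {state}, but images are signed with it")
        elif name not in expected_enabled and state == "enabled":
            problems.append(f"{name} is enabled, but was not expected to be")
    return problems


def make_sample_page(rkth_revoke_byte: int) -> bytes:
    """Constructed sample: zero-filled page with only the RKTH_REVOKE byte set."""
    page = bytearray(PAGE_SIZE)
    page[RKTH_REVOKE_ADDR - CFPA_BASE] = rkth_revoke_byte
    return bytes(page)


if __name__ == "__main__":
    all_keys = {"RoTK0", "RoTK1", "RoTK2", "RoTK3"}
    for byte in (0x55, 0x59):  # constructed values: all enabled / RoTK1 revoked
        page = make_sample_page(byte)
        print(hex(byte), decode_rkth_revoke(page), check_page(page, all_keys))
```

To check a real file, pass `open("CFPA_0x9de00.bin", "rb").read()` to `check_page` together with the set of keys your images are actually signed with.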